Dada

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Dada delivery API helper whose personal-data handling is expected for delivery integration, with no hidden execution or persistence found.

Reasonable to install as a developer reference. Before production use, keep API secrets out of chats and logs, test against the QA endpoint, confirm live order creation or cancellation, protect callback endpoints, validate signatures, and redact or minimize customer and courier names, phone numbers, addresses, coordinates, signatures, and order identifiers in logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly documents sending recipient personal data such as name, phone number, address, and location to an external delivery platform, but it does not warn users about privacy implications, consent requirements, retention, or third-party processing. In a logistics integration skill this data flow is expected, but omission of clear privacy/security guidance can lead developers to implement personal-data transfers without appropriate notice, legal basis, or protection controls.

Missing User Warnings

Low
Confidence: 91%
Finding
The callback section states that the user's system will receive courier data including name and mobile number, but it does not warn that this constitutes inbound processing of third-party personal data that must be protected. This is less severe than the outbound customer-data issue, but it can still cause unintended overcollection, insecure storage, or unauthorized internal exposure of courier PII.

VirusTotal

65/65 vendors flagged this skill as clean.
